To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 354
- compare with another revision
- download diff
- download tarball
- view history from revision 354
- Committer: Teddy Hogeborn
- Date: 2009-08-30 02:49:46 UTC
- Revision ID: teddy@fukt.bsnet.se-20090830024946-bfr985x8kmrep11j
* plugins.d/mandos-client.c (signal_received): New.
(handle_sigterm): Save signal received.
(main): Also set handler for SIGINT and SIGHUP. If exiting due to
signal, re-raise signal received instead of returning.
(handle_sigterm): Save signal received.
(main): Also set handler for SIGINT and SIGHUP. If exiting due to
signal, re-raise signal received instead of returning.
- files modified:
- TODO
added
removed
plugins.d/mandos-client.c
71
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
72
*/
73
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
74
getuid(), getgid(), setuid(),
75
75
setgid() */
76
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
77
#include <iso646.h> /* not, or, and */
142
142
.dh_bits = 1024, .priority = "SECURE256"
143
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
144
145
sig_atomic_t quit_now = 0;
146
int signal_received = 0;
147
148
145
/*
149
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
150
147
* bytes. "buffer_capacity" is how much is currently allocated,
167
164
*/
168
165
static bool init_gpgme(const char *seckey,
169
166
const char *pubkey, const char *tempdir){
167
int ret;
170
168
gpgme_error_t rc;
171
169
gpgme_engine_info_t engine_info;
172
170
175
173
* Helper function to insert pub and seckey to the engine keyring.
176
174
*/
177
175
bool import_key(const char *filename){
178
int ret;
179
176
int fd;
180
177
gpgme_data_t pgp_data;
181
178
252
249
return false;
253
250
}
254
251
255
return true;
252
return true;
256
253
}
257
254
258
255
/*
477
474
static int init_gnutls_session(gnutls_session_t *session){
478
475
int ret;
479
476
/* GnuTLS session creation */
480
do {
481
ret = gnutls_init(session, GNUTLS_SERVER);
482
if(quit_now){
483
return -1;
484
}
485
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
477
ret = gnutls_init(session, GNUTLS_SERVER);
486
478
if(ret != GNUTLS_E_SUCCESS){
487
479
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
488
480
safer_gnutls_strerror(ret));
490
482
491
483
{
492
484
const char *err;
493
do {
494
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
495
if(quit_now){
496
gnutls_deinit(*session);
497
return -1;
498
}
499
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
500
486
if(ret != GNUTLS_E_SUCCESS){
501
487
fprintf(stderr, "Syntax error at: %s\n", err);
502
488
fprintf(stderr, "GnuTLS error: %s\n",
506
492
}
507
493
}
508
494
509
do {
510
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
511
mc.cred);
512
if(quit_now){
513
gnutls_deinit(*session);
514
return -1;
515
}
516
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
517
497
if(ret != GNUTLS_E_SUCCESS){
518
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
519
499
safer_gnutls_strerror(ret));
522
502
}
523
503
524
504
/* ignore client certificate if any. */
525
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
526
507
527
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
528
509
533
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
534
515
__attribute__((unused)) const char *txt){}
535
516
517
sig_atomic_t quit_now = 0;
518
int signal_received = 0;
519
536
520
/* Called when a Mandos server is found */
537
521
static int start_mandos_communication(const char *ip, uint16_t port,
538
522
AvahiIfIndex if_index,
539
523
int af){
540
int ret, tcp_sd = -1;
524
int ret, tcp_sd;
541
525
ssize_t sret;
542
526
union {
543
527
struct sockaddr_in in;
544
528
struct sockaddr_in6 in6;
545
529
} to;
546
530
char *buffer = NULL;
547
char *decrypted_buffer = NULL;
531
char *decrypted_buffer;
548
532
size_t buffer_length = 0;
549
533
size_t buffer_capacity = 0;
534
ssize_t decrypted_buffer_size;
550
535
size_t written;
551
int retval = -1;
536
int retval = 0;
552
537
gnutls_session_t session;
553
538
int pf; /* Protocol family */
554
539
555
if(quit_now){
556
return -1;
557
}
558
559
540
switch(af){
560
541
case AF_INET6:
561
542
pf = PF_INET6;
581
562
tcp_sd = socket(pf, SOCK_STREAM, 0);
582
563
if(tcp_sd < 0){
583
564
perror("socket");
584
goto mandos_end;
585
}
586
587
if(quit_now){
588
goto mandos_end;
565
return -1;
589
566
}
590
567
591
568
memset(&to, 0, sizeof(to));
598
575
}
599
576
if(ret < 0 ){
600
577
perror("inet_pton");
601
goto mandos_end;
578
return -1;
602
579
}
603
580
if(ret == 0){
604
581
fprintf(stderr, "Bad address: %s\n", ip);
605
goto mandos_end;
582
return -1;
606
583
}
607
584
if(af == AF_INET6){
608
585
to.in6.sin6_port = htons(port); /* Spurious warnings from
615
592
if(if_index == AVAHI_IF_UNSPEC){
616
593
fprintf(stderr, "An IPv6 link-local address is incomplete"
617
594
" without a network interface\n");
618
goto mandos_end;
595
return -1;
619
596
}
620
597
/* Set the network interface number as scope */
621
598
to.in6.sin6_scope_id = (uint32_t)if_index;
626
603
-Wunreachable-code */
627
604
}
628
605
629
if(quit_now){
630
goto mandos_end;
631
}
632
633
606
if(debug){
634
607
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
635
608
char interface[IF_NAMESIZE];
662
635
}
663
636
}
664
637
665
if(quit_now){
666
goto mandos_end;
667
}
668
669
638
if(af == AF_INET6){
670
639
ret = connect(tcp_sd, &to.in6, sizeof(to));
671
640
} else {
673
642
}
674
643
if(ret < 0){
675
644
perror("connect");
676
goto mandos_end;
677
}
678
679
if(quit_now){
680
goto mandos_end;
645
return -1;
681
646
}
682
647
683
648
const char *out = mandos_protocol_version;
688
653
out_size - written));
689
654
if(ret == -1){
690
655
perror("write");
656
retval = -1;
691
657
goto mandos_end;
692
658
}
693
659
written += (size_t)ret;
701
667
break;
702
668
}
703
669
}
704
705
if(quit_now){
706
goto mandos_end;
707
}
708
670
}
709
671
710
672
if(debug){
711
673
fprintf(stderr, "Establishing TLS session with %s\n", ip);
712
674
}
713
675
714
if(quit_now){
715
goto mandos_end;
716
}
717
718
676
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
719
677
720
if(quit_now){
721
goto mandos_end;
722
}
723
724
do {
678
do{
725
679
ret = gnutls_handshake(session);
726
if(quit_now){
727
goto mandos_end;
728
}
729
680
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
730
681
731
682
if(ret != GNUTLS_E_SUCCESS){
733
684
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
734
685
gnutls_perror(ret);
735
686
}
687
retval = -1;
736
688
goto mandos_end;
737
689
}
738
690
744
696
}
745
697
746
698
while(true){
747
748
if(quit_now){
749
goto mandos_end;
750
}
751
752
699
buffer_capacity = incbuffer(&buffer, buffer_length,
753
700
buffer_capacity);
754
701
if(buffer_capacity == 0){
755
702
perror("incbuffer");
756
goto mandos_end;
757
}
758
759
if(quit_now){
703
retval = -1;
760
704
goto mandos_end;
761
705
}
762
706
771
715
case GNUTLS_E_AGAIN:
772
716
break;
773
717
case GNUTLS_E_REHANDSHAKE:
774
do {
718
do{
775
719
ret = gnutls_handshake(session);
776
777
if(quit_now){
778
goto mandos_end;
779
}
780
720
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
781
721
if(ret < 0){
782
722
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
783
723
gnutls_perror(ret);
724
retval = -1;
784
725
goto mandos_end;
785
726
}
786
727
break;
787
728
default:
788
729
fprintf(stderr, "Unknown error while reading data from"
789
730
" encrypted session with Mandos server\n");
731
retval = -1;
790
732
gnutls_bye(session, GNUTLS_SHUT_RDWR);
791
733
goto mandos_end;
792
734
}
799
741
fprintf(stderr, "Closing TLS session\n");
800
742
}
801
743
802
if(quit_now){
803
goto mandos_end;
804
}
805
806
do {
807
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
808
if(quit_now){
809
goto mandos_end;
810
}
811
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
744
gnutls_bye(session, GNUTLS_SHUT_RDWR);
812
745
813
746
if(buffer_length > 0){
814
ssize_t decrypted_buffer_size;
815
747
decrypted_buffer_size = pgp_packet_decrypt(buffer,
816
748
buffer_length,
817
749
&decrypted_buffer);
818
750
if(decrypted_buffer_size >= 0){
819
820
751
written = 0;
821
752
while(written < (size_t) decrypted_buffer_size){
822
if(quit_now){
823
goto mandos_end;
824
}
825
826
753
ret = (int)fwrite(decrypted_buffer + written, 1,
827
754
(size_t)decrypted_buffer_size - written,
828
755
stdout);
831
758
fprintf(stderr, "Error writing encrypted data: %s\n",
832
759
strerror(errno));
833
760
}
834
goto mandos_end;
761
retval = -1;
762
break;
835
763
}
836
764
written += (size_t)ret;
837
765
}
838
retval = 0;
766
free(decrypted_buffer);
767
} else {
768
retval = -1;
839
769
}
770
} else {
771
retval = -1;
840
772
}
841
773
842
774
/* Shutdown procedure */
843
775
844
776
mandos_end:
845
free(decrypted_buffer);
846
777
free(buffer);
847
if(tcp_sd >= 0){
848
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
849
}
778
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
850
779
if(ret == -1){
851
780
perror("close");
852
781
}
853
782
gnutls_deinit(session);
854
if(quit_now){
855
retval = -1;
856
}
857
783
return retval;
858
784
}
859
785
922
848
/* Called whenever a new services becomes available on the LAN or
923
849
is removed from the LAN */
924
850
925
if(quit_now){
926
return;
927
}
928
929
851
switch(event){
930
852
default:
931
853
case AVAHI_BROWSER_FAILURE:
998
920
bool gpgme_initialized = false;
999
921
float delay = 2.5f;
1000
922
1001
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
923
struct sigaction old_sigterm_action;
1002
924
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1003
925
1004
uid = getuid();
1005
gid = getgid();
1006
1007
/* Lower any group privileges we might have, just to be safe */
1008
errno = 0;
1009
ret = setgid(gid);
1010
if(ret == -1){
1011
perror("setgid");
1012
}
1013
1014
/* Lower user privileges (temporarily) */
1015
errno = 0;
1016
ret = seteuid(uid);
1017
if(ret == -1){
1018
perror("seteuid");
1019
}
1020
1021
if(quit_now){
1022
goto end;
1023
}
1024
1025
926
{
1026
927
struct argp_option options[] = {
1027
928
{ .name = "debug", .key = 128,
1154
1055
exitcode = EXIT_FAILURE;
1155
1056
goto end;
1156
1057
}
1157
/* Need to check if the handler is SIG_IGN before handling:
1158
| [[info:libc:Initial Signal Actions]] |
1159
| [[info:libc:Basic Signal Handling]] |
1160
*/
1161
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1162
if(ret == -1){
1163
perror("sigaction");
1164
return EXIT_FAILURE;
1165
}
1166
if(old_sigterm_action.sa_handler != SIG_IGN){
1167
ret = sigaction(SIGINT, &sigterm_action, NULL);
1168
if(ret == -1){
1169
perror("sigaction");
1170
exitcode = EXIT_FAILURE;
1171
goto end;
1172
}
1173
}
1174
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1175
if(ret == -1){
1176
perror("sigaction");
1177
return EXIT_FAILURE;
1178
}
1179
if(old_sigterm_action.sa_handler != SIG_IGN){
1180
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1181
if(ret == -1){
1182
perror("sigaction");
1183
exitcode = EXIT_FAILURE;
1184
goto end;
1185
}
1186
}
1187
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1188
if(ret == -1){
1189
perror("sigaction");
1190
return EXIT_FAILURE;
1191
}
1192
if(old_sigterm_action.sa_handler != SIG_IGN){
1193
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1194
if(ret == -1){
1195
perror("sigaction");
1196
exitcode = EXIT_FAILURE;
1197
goto end;
1198
}
1058
ret = sigaction(SIGINT, &sigterm_action, &old_sigterm_action);
1059
if(ret == -1){
1060
perror("sigaction");
1061
exitcode = EXIT_FAILURE;
1062
goto end;
1063
}
1064
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1065
if(ret == -1){
1066
perror("sigaction");
1067
exitcode = EXIT_FAILURE;
1068
goto end;
1069
}
1070
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1071
if(ret == -1){
1072
perror("sigaction");
1073
exitcode = EXIT_FAILURE;
1074
goto end;
1199
1075
}
1200
1076
1201
1077
/* If the interface is down, bring it up */
1211
1087
goto end;
1212
1088
}
1213
1089
1214
/* Re-raise priviliges */
1215
errno = 0;
1216
ret = seteuid(0);
1217
if(ret == -1){
1218
perror("seteuid");
1219
}
1220
1221
1090
#ifdef __linux__
1222
1091
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1223
1092
messages to mess up the prompt */
1241
1110
}
1242
1111
}
1243
1112
#endif /* __linux__ */
1244
/* Lower privileges */
1245
errno = 0;
1246
ret = seteuid(uid);
1247
if(ret == -1){
1248
perror("seteuid");
1249
}
1250
1113
goto end;
1251
1114
}
1252
1115
strcpy(network.ifr_name, interface);
1262
1125
}
1263
1126
#endif /* __linux__ */
1264
1127
exitcode = EXIT_FAILURE;
1265
/* Lower privileges */
1266
errno = 0;
1267
ret = seteuid(uid);
1268
if(ret == -1){
1269
perror("seteuid");
1270
}
1271
1128
goto end;
1272
1129
}
1273
1130
if((network.ifr_flags & IFF_UP) == 0){
1286
1143
}
1287
1144
}
1288
1145
#endif /* __linux__ */
1289
/* Lower privileges */
1290
errno = 0;
1291
ret = seteuid(uid);
1292
if(ret == -1){
1293
perror("seteuid");
1294
}
1295
1146
goto end;
1296
1147
}
1297
1148
}
1325
1176
}
1326
1177
}
1327
1178
#endif /* __linux__ */
1328
/* Lower privileges */
1329
errno = 0;
1330
if(take_down_interface){
1331
/* Lower privileges */
1332
ret = seteuid(uid);
1333
if(ret == -1){
1334
perror("seteuid");
1335
}
1336
} else {
1337
/* Lower privileges permanently */
1338
ret = setuid(uid);
1339
if(ret == -1){
1340
perror("setuid");
1341
}
1342
}
1179
}
1180
1181
if(quit_now){
1182
goto end;
1183
}
1184
1185
uid = getuid();
1186
gid = getgid();
1187
1188
errno = 0;
1189
setgid(gid);
1190
if(ret == -1){
1191
perror("setgid");
1192
}
1193
1194
ret = setuid(uid);
1195
if(ret == -1){
1196
perror("setuid");
1343
1197
}
1344
1198
1345
1199
if(quit_now){
1519
1373
1520
1374
/* Take down the network interface */
1521
1375
if(take_down_interface){
1522
/* Re-raise priviliges */
1523
errno = 0;
1524
ret = seteuid(0);
1376
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1525
1377
if(ret == -1){
1526
perror("seteuid");
1378
perror("ioctl SIOCGIFFLAGS");
1379
} else if(network.ifr_flags & IFF_UP) {
1380
network.ifr_flags &= ~IFF_UP; /* clear flag */
1381
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1382
if(ret == -1){
1383
perror("ioctl SIOCSIFFLAGS");
1384
}
1527
1385
}
1528
if(geteuid() == 0){
1529
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1530
if(ret == -1){
1531
perror("ioctl SIOCGIFFLAGS");
1532
} else if(network.ifr_flags & IFF_UP) {
1533
network.ifr_flags &= ~IFF_UP; /* clear flag */
1534
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1535
if(ret == -1){
1536
perror("ioctl SIOCSIFFLAGS");
1537
}
1538
}
1539
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1540
if(ret == -1){
1541
perror("close");
1542
}
1543
/* Lower privileges permanently */
1544
errno = 0;
1545
ret = setuid(uid);
1546
if(ret == -1){
1547
perror("setuid");
1548
}
1386
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1387
if(ret == -1){
1388
perror("close");
1549
1389
}
1550
1390
}
1551
1391
1594
1434
}
1595
1435
1596
1436
if(quit_now){
1597
sigemptyset(&old_sigterm_action.sa_mask);
1598
old_sigterm_action.sa_handler = SIG_DFL;
1599
1437
ret = sigaction(signal_received, &old_sigterm_action, NULL);
1600
1438
if(ret == -1){
1601
1439
perror("sigaction");
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0